Months ago, news broke about a group of hackers who called themselves The Shadow Brokers. They stole weaponized NSA cyberwarfare software from the Equation Group, a group that originally stole the software from the NSA. The Shadow Brokers made several attempts at selling the software but repeatedly failed. Motherboard reported that the group disappeared, for the most part.
That is, until now. Joseph Cox found a post on Medium that pointed straight towards a site where The Shadow Brokers were selling the NSA’s software. The site sits on the “ZeroNet,” a web platform that rides on the BitTorrent network and utilizes Bitcoin cryptography. On their ZeroNet site, The Shadow Brokers (TSB) listed the files and tools on what appeared to be a person-by-person basis. “YOU LIKE. YOU EMAIL. YOU BUY,” was written underneath the group’s ZeroNet name.
The group that initially hacked and stole the NSA software, according to Kaspersky Lab’s Global Research & Analysis Team, was “The Death Star of Malware Galaxy.” To security researchers, there is no doubt that something connects the Equation Group to the NSA. Some claimed that the Equation Group (EG) was the NSA. Some claimed EG was a group of Russian hackers. “Many infections have been observed on servers, often domain controllers, data warehouses, website hosting and other types of servers,” Kaspersky Lab’s researchers reported. “At the same time, the infections have a self-destruct mechanism, so we can assume there were probably tens of thousands of infections around the world throughout the history of the Equation group’s operations.”
Kaspersky Labs, Edward Snowden, and Claudio Guarnieri, one of the primary investigators of NSA malware, saw similarities between US intelligence and EG. One of the most important discoveries was that of the “Fanny worm.” The Fanny Worm used two zero-day exploits that were later integrated into Stuxnet. The internet world almost unanimously agrees that the US and Israel created Stuxnet to end Iran’s nuclear program. Fact or fiction, that makes no impact on Kaspersky Lab’s findings, which strongly indicate that the developers of Stuxnet and the developers of the Fanny Worm worked in coordination.
The Shadow Brokers appeared to set up shop on the ZeroNet. As mentioned before, the ZeroNet utilizes BitTorrent and Bitcoin technology. “Your account is protected by same cryptography as your Bitcoin wallet,” the ZeroNet landing page explains. “You can easily hide your IP address using the Tor network.” Configuring ZeroNet to work in conjunction with Tor is explained in the FAQ and, at least on Windows, Tor is bundled with ZeroNet.
On TheShadowBrokers.bit, “Message #6” explains:
TheShadowBrokers is trying auction. Peoples no like. TheShadowBrokers is seeking to crowdfund. Peoples is no liking. Now TheShadowBrokers is trying direct sales. Be checking out ListOfWarez. If you like, you email TheShadowBrokers with the name of Warez you want to make a purchase. TheShadowBrokers is emailing you back bitcoin address. You make payment. TheShadowBrokers emailing you link + decryption password. Files as always being signed.
They have currently posted 60 listings; the screenshot for each listing is available in a .zip file. The prices start at a single bitcoin for “tools” but quickly increase in price. The entire “auction” is available for the mediocre sum of 1,000 BTC.
The screenshot for charms:
The screenshot for dampcloud:
Cox reached out to The Shadow Brokers for comment but received no response. The NSA, apparently, ignored his questions as well.